Encryption
Raytio uses end-to-end encryption to protect your data. This means your information is encrypted on your device before it is sent to our servers. Raytio cannot read your data — only you and the people you choose to share it with can.
This page explains how encryption works in Raytio, why it matters, and what you need to know to keep your data safe.
What gets encrypted
Not all data in Raytio is automatically encrypted. Two conditions must both be true for a piece of data to be end-to-end encrypted:
- The user has encryption enabled — encryption is a per-account capability. If an account does not have encryption enabled, all data is stored in plain text on the server (still protected by TLS in transit and encryption at rest, but readable by the server).
- The field is marked as encrypted — each field in a schema can be individually configured with an encrypt: true property. Only fields with this property are encrypted before being sent to the server.
This means that within a single form submission, some fields may be encrypted while others are not. For example, a schema might encrypt sensitive fields like passport numbers or tax identifiers, while leaving non-sensitive fields like country of residence unencrypted so they can be used for filtering or reporting.
Fields that are not end-to-end encrypted are still protected by standard security measures (TLS in transit, encryption at rest on the database), but they are readable by the server and by anyone with authorised database access.
Whether a field is encrypted is determined by the schema configuration, not by the user. Users with encryption enabled will have their data encrypted for any field the schema marks as encrypt: true.
Why end-to-end encryption?
Most platforms encrypt data "at rest" on their servers and "in transit" between your browser and their servers. This protects against external attackers, but the platform itself can still read your data.
Raytio takes a different approach. Your data is encrypted on your device using keys that only you control. The encrypted data is then sent to Raytio's servers, where it is stored without Raytio ever being able to read it. This is called end-to-end encryption because the data is protected from end to end — from your device to the recipient's device.
This design means:
- Your data is private — not even Raytio staff can access it
- A server breach doesn't expose your data — attackers would only get encrypted data they cannot read
- You control access — only people you explicitly share with can decrypt your data
How your encryption keys work
When you create a Raytio account, a set of encryption keys is generated on your device. These keys are used to encrypt and decrypt your data. Understanding how they relate to each other helps explain why your password and Local Secret are so important.
Key hierarchy
Your encryption keys are organised in layers:
Your Password + Local Secret
↓
Key Encryption Key (KEK)
↓
Encryption Key Pair (public + private)
↓
Your Encrypted Data
- Your password and Local Secret are combined to derive a Key Encryption Key (KEK). This is a master key that protects everything else.
- The KEK encrypts your private encryption key. Your private key never leaves your device unprotected.
- Your encryption key pair (a public key and a private key) is used to encrypt and decrypt your actual data.
Your public key is stored on Raytio's servers and is visible to other users. This is safe because a public key can only be used to encrypt data — it cannot decrypt anything. This is the same principle used in technologies like HTTPS and email encryption (PGP/GPG). Your personal public key is used to protect the private keys of any Access Applications you own (see Sharing encrypted data below).
Your private key stays encrypted and is only decrypted locally on your device when you enter your password. It is never exposed to Raytio's servers in an unencrypted form.
Two-Secret Key Derivation (2SKD)
Raytio uses a security model called Two-Secret Key Derivation (2SKD), inspired by leading password managers. Instead of deriving your encryption key from your password alone, two independent secrets are required:
- Your password — something you know
- Your Local Secret — something your device has
These two secrets are combined to create your Key Encryption Key. Neither secret alone is enough to access your data:
- If someone learns your password (for example, through a phishing attack), they still cannot decrypt your data without your Local Secret
- If someone gains access to your device's storage, they still cannot decrypt your data without your password
This two-factor approach significantly strengthens the security of your encrypted data.
What is the Local Secret?
Your Local Secret is a randomly generated code that is stored on your device. It looks like this:
A7K2M9-X4P8N3-B5J1L6-Q9W2R8-T3Y7U0-V6Z4C1-...
The Local Secret uses an easy-to-read character set that avoids commonly confused characters (such as 0/O and 1/I). It is grouped into blocks separated by dashes for readability.
When you create your account, Raytio generates your Local Secret and asks you to save a copy. You will need this Local Secret when you sign in on a new device.
Your Local Secret is never sent to Raytio's servers. It exists only on your device. If you lose it and do not have a backup, you will not be able to access your encrypted data on a new device.
Password and key derivation
Raytio uses the Argon2id algorithm to derive your Key Encryption Key from your password. Argon2id is a memory-hard key derivation function that is specifically designed to resist brute-force attacks, including attacks using specialised hardware (GPUs and ASICs).
The derived key from Argon2id is then combined with your Local Secret using a mathematical operation (XOR) to produce the final Key Encryption Key.
This process means that even if an attacker obtains your encrypted keys from the server, they would need both your password and your Local Secret to derive the KEK, and the Argon2id algorithm makes it extremely slow and expensive to guess your password through brute force.
Accounts created before the introduction of 2SKD use the PBKDF2 algorithm for key derivation, which derives the KEK from the password alone. These accounts are automatically upgraded to the more secure 2SKD method when you next sign in.
Encrypting and decrypting data
All sensitive data in Raytio is encrypted using AES-256-GCM, a widely trusted encryption standard used by governments and financial institutions worldwide. Each piece of data is encrypted with a unique random initialisation vector, ensuring that even identical data produces different encrypted output.
Encryption and decryption happen automatically in your browser:
- Saving data: When you save information (such as a profile object), Raytio encrypts it on your device before sending it to the server
- Viewing data: When you open encrypted information, Raytio retrieves the encrypted data from the server and decrypts it on your device
You do not need to manage encryption manually — it happens transparently as you use the platform.
Sharing encrypted data
Raytio allows encrypted data to be shared between users and between organisations without the data ever being decrypted on the server. Each Access Application has its own encryption key pair, and a system called WADEK (Wrapped Application Data Encryption Key) handles the secure transfer of encryption keys between applications.
AA owners can also grant other users in their organisation access to an Access Application, allowing team members to decrypt and view submissions without compromising the encryption model.
For a detailed explanation of how sharing, Access Application key pairs, team access, and WADEK re-wrapping work, see How Data Sharing Works.
Using multiple devices
Your Local Secret is stored on each device you use. When you sign in on a new device for the first time, you will be asked to enter your Local Secret. After the initial setup, you won't need to enter it again on that device — it is securely stored in your browser's local storage.
This design means your encrypted data is accessible from any device, as long as you have your password and Local Secret. However, it also means you must keep your Local Secret backed up — if you lose access to all your devices and don't have a backup, your encrypted data cannot be recovered.
Key backup and password changes
Because Raytio cannot access your encryption keys, keeping a backup is essential. Raytio provides a backup key file that contains your encryption keys and Local Secret for disaster recovery.
Do not store your backup key file on the same computer you use to access Raytio. If your computer is lost, stolen, or compromised, both your Local Secret and your backup would be at risk. Instead, store the backup on a USB drive, external hard drive, or other storage device that is kept separately and not normally connected to your computer. A password manager is also a suitable option.
When you change your password, Raytio derives a new Key Encryption Key and re-encrypts your private keys with it. Your underlying encryption keys remain the same — only the key that protects them changes. This means all your existing encrypted data remains accessible without re-encryption. A new Local Secret is generated as part of this process.
For step-by-step instructions, see these how-to guides:
- Export Keys — download a backup of your encryption keys
- Import Keys — restore your encryption keys from a backup
- Change Password — change your password and generate a new Local Secret
Summary
| Concept | What it means |
|---|---|
| End-to-end encryption | Data is encrypted on your device before being sent to Raytio — only you and your chosen recipients can read it |
| Two-Secret Key Derivation (2SKD) | Your encryption key is derived from both your password and a device-bound Local Secret, providing two-factor protection |
| Local Secret | A randomly generated code stored on your device, required alongside your password to derive your encryption key |
| AES-256-GCM | The encryption standard used to protect your data |
| Argon2id | The key derivation algorithm that makes brute-force password attacks extremely difficult |
| WADEK | The key-wrapping system that allows secure data sharing without exposing your encryption keys |
| Backup key file | A downloadable file containing your encryption keys and Local Secret for disaster recovery |